<div dir="auto">I was going to ask you about the preferred way to handling this on MS4W to update the docs and/or MS4W package but got busy with other tasks today.<div dir="auto"><br></div><div dir="auto">It seems like something that should be in the httpd.conf for the geomoose package, but that might conflict with other installed apps.</div><div dir="auto"><br></div><div dir="auto">One thing that might work well across multiple uncoordinated apps is how I've been installing mapserver on most of my servers where the mapfile controls the URL instead of /cgi-bin/mapserv. Then since apache sees the actual mapfile paths, you can set MS_MAP_NOPATH and MS_MAPFILE (I'm working from memory now so I probably got the names wrong, but hopefully it still makes sense) environment variables and use the standard <Directory> and <File> apache directives to limit what is accessible (potentially different per user).</div><div dir="auto"><br></div><div dir="auto">This does change the URLs though so apps would have to be reconfigured for it.</div><div dir="auto"><br></div><div dir="auto">I'll forward details when I get back to my main computer.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 31, 2021, 15:02 Jeff McKenna <<a href="mailto:jmckenna@gatewaygeomatics.com">jmckenna@gatewaygeomatics.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear GeoMoose community, please see the message below for those running <br>
MS4W (or MapServer on any operating system) on public-facing servers. <br>
thank-you.<br>
<br>
<br>
<br>
-------- Forwarded Message --------<br>
<br>
Hello everyone,<br>
<br>
As the security of MS4W on your public-facing server is important, <br>
please take some time to review the possible security steps to enable <br>
for MS4W at: <br>
<a href="https://ms4w.com/README_INSTALL.html#securing-your-ms4w-installation" rel="noreferrer noreferrer" target="_blank">https://ms4w.com/README_INSTALL.html#securing-your-ms4w-installation</a> You <br>
will notice MS4W examples, as well as instructions to use an online tool <br>
for testing your MS4W instance.<br>
<br>
As stated there, setting the *MS_MAP_PATTERN* environment variable is <br>
strongly recommended for your server instance.<br>
<br>
The past few weeks (and especially the past few days, which were full of <br>
intense regular expression testing) I have been working with Steve Lime <br>
closely and other MapServer steering committee members, to release the <br>
security advisory for MapServer: <br>
<a href="https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html" rel="noreferrer noreferrer" target="_blank">https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html</a><br>
<br>
Future MS4W releases will likely be tighter, with definitely the popular <br>
.exe installer setting & enabling the *MS_MAP_PATTERN* regular <br>
expression on-the-fly, for new installations, as well as providing a few <br>
default settings in the distributed Apache httpd.conf file.<br>
<br>
MS4W security is my priority, always has been, and I hope the examples <br>
and expressions that I provided in the MS4W readme above, help everyone <br>
implement, and take some of the fear of expressions away.<br>
<br>
Thank-you all.<br>
<br>
<br>
--<br>
Thank-you for using MS4W.<br>
"MS4W: open doors as well as windows"<br>
<br>
-jeff<br>
<br>
<br>
-- <br>
Jeff McKenna<br>
GatewayGeo: Developers of MS4W, MapServer Consulting and Training<br>
co-founder of FOSS4G<br>
<a href="http://gatewaygeo.com/" rel="noreferrer noreferrer" target="_blank">http://gatewaygeo.com/</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Geomoose-users mailing list<br>
<a href="mailto:Geomoose-users@lists.osgeo.org" target="_blank" rel="noreferrer">Geomoose-users@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geomoose-users" rel="noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/geomoose-users</a><br>
</blockquote></div>